Concerns galore over Ancestry.com’s handling of customers’ DNA data

June 8, 2018

Ancestry.com currently stores the DNA information and other personal details of over 5 million people, but security experts are cautioning users to remain vigilant about how the company uses their DNA information and how well its systems are secured against external attacks.

Last year, hackers breached RootsWeb, a site owned and operated by Ancestry. Although the hack compromised 55,000 customer accounts, the firm said that the customer data it stored was kept in completely separate systems and was protected by encryption whose keys were held by Ancestry.

Customers must stay vigilant about data security

Despite Ancestry's assurances, security experts are urging customers to remain vigilant and to ensure that they use strong security processes to ensure their accounts are not breached by hackers.

"Bad actors are constantly trying to engineer new ways of bypassing security measures; however, two-factor authentication still offers stronger security than the classic one-factor authentication.

"To avoid account takeovers with stolen username and passwords, two-factor authentication can be combined with other security layers such as passive biometrics and behavioral analytics, so that if one layer fails or is not reliable, another layer of security takes over, protecting the customers' accounts even if the credentials have been stolen," said Ryan Wilk, vice president at NuData Security.

"While two-factor authentication can help verify that the user has the correct device, behavioural analytics and passive biometrics allow you to learn and trust the user’s behavior both in and across the session. This way you put the trust on the human instead of the device.

"With passive biometrics, customers are identified by their behaviour online and not by static data such as passwords or one-time codes. This inherent behaviour cannot be duplicated by hackers, even if they use correct static data, devaluing stolen credentials and protecting the customer account," he added.

"With the rise of do-it-yourself genetic testing, we’ve entered a brave new world of data that can be bought, sold and hacked accordingly. Data doesn’t get much more personal than your own DNA. While consumers who use these services shouldn’t shy away entirely, they should educate themselves," says Ken Spinner, Vice President at Varonis.

"Know what you’re getting into whenever you willingly provide information to a third party: That goes for your name and address or your genetic blueprint. Ask yourself if the benefit you will receive surpasses the risk.

"When a breach becomes public knowledge, companies are quick to post FAQs and issue statements on the attack covering what they know, how they’re protecting data and what they will do moving forward. At that point the damage has already been done. How much confidence should consumers place in these statements? If your DNA is for sale on the dark web, it’s too late. If you’re a company that handles consumer data, you’ve got to ensure you’re putting the time and resources into protecting it," he adds.

Leaked DNA records can have serious consequences

According to Rashmi Knowles, EMEA Field CTO at RSA Security, hackers gaining access to a person's genetic identity can have far more serious consequences than an ordinary account breach.

"No matter how secure the organisation, no one is completely risk-free, and if breached, genetic data could be sold on by hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There’s even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future.

"When being asked to provide such a highly sensitive level of personal information, you need to think carefully to decide if the benefit outweighs the risk. If you do choose to provide genetic data to an organisation, it’s vital to enable the maximum security settings, turning on features such as two-factor authentication once available, and check what you are ‘agreeing’ to when sharing it.

"The key is to understand the risks and make an informed choice about how and what data you share," she adds.

About The Author

Jay Jay is a freelance technology writer for teiss. He has previously written news articles, device reviews and features for Mobile Choice UK website and magazine, as well as writing extensively for SC Magazine UK, Tech Radar, Indian Express, and Android Headlines.